Articles in this section

Integrate GitHub Container Registry

This topic contains the following sections.

Container Registry Support

GitHub Container Registry integrations support:

  • Registry notification - scans occur for each image push
  • On-demand scans via the API

Integration Setup Overview

Integration setup consists of the following steps:

  1. Create a container registry integration in the Lacework Console
  2. (With notifications) Add a webhook in GitHub for registry notification
    or
    (Without notifications) Set up image assessment through the Lacework API
  3. Whitelist Lacework Outbound IPs

Create a GitHub Container Registry Integration in Lacework

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Navigate to Settings > Integrations > Container Registries.
  3. Click + Create New.
  4. From the Registry Type drop-down, select GitHub Container Registry and click Next.
  5. Complete the required settings.
  6. (Optional) Subscribe to registry notifications by selecting Subscribe to Registry Notifications.

  7. Click Save.
    The integration status displays Integration Successful only after its first assessment completes.

    If you subscribed to notifications, go to Registry Notification. Otherwise, go to Set Up Image Assessment Through the API to set up on-demand scans.

Settings

Setting Name Description
Registry Type Specify the registry type from the drop-down, in this case, select GitHub Container Registry.
Name Specify a unique name for the container registry in the Lacework Console.
Username Specify a user that has permissions to pull the images (that will be assessed) from the container registry.
Password Specify the GitHub token. To generate a new token, go to your organization and navigate to Settings > Developer settings > Personal access tokens > Generate new token. The required permission is read:packages.
SSL Select the checkbox if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If this is unselected, you are using an unencrypted communication channel.
Registry Domain Specify a domain using one of these formats: YourIP:YourPort or YourDomain:YourPort
Limit by Tag (optional) If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. If you specify tag and label limits, they function as an AND. Supported field input: mytext*mytext, *mytext, mytext*, or mytext. Only one * wildcard is supported.
Limit by Label (optional) If you do not want to assess all images in this registry, specify text from an image label so that only images with matching label text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. If you specify tag and label limits, they function as an AND. Supported field input: mytext*mytext, *mytext, mytext, or mytext. Only one * wildcard is supported.

Registry Notification

Lacework can receive notifications that the registry sends in response to events that happen within the registry. When Lacework receives manifest push notifications, Lacework performs an assessment.

When the integration subscribes to notifications, you must add a webhook to include the additional information provided by Lacework.

When you create/edit the integration, the following additional information is available:

  • URL
  • Authorization Token - an integration-specific, long running server token.

The URL and token are available on the Container Registry page. Click the integration name and copy both items from the details pane. The information is required in the next section.

Each integration can have one token. If the integration unsubscribes from notifications and then subscribes again, Lacework uses the same token.

Add a Webhook to GitHub

If you subscribed to notifications, you must add a webhook to your organization and then add the notification listener URL and authorization token.

  1. In GitHub, navigate to the organization where you want to add a webhook.
    NOTE: You must use an organization webhook. Repository webhooks cannot be used.
  2. Select Webhooks.
  3. Click Add webhook.
  4. For Payload URL, paste the integration's URL from the Lacework Console, such as:
    https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/webhook/ghcr
  5. For Content type, select application/json.
  6. For Secret, paste the integration's authorization token.
  7. For Which events would you like to trigger this webhook?, choose Let me select individual events.
    Then select Package v2s from the list of events.
  8. Select Active.
  9. Click Add webhook.

Set Up Image Assessment Through the API

If you did not subscribe to notifications, you can, for example, make an API call each time an image is built so that Lacework assesses it.

For information about setting up container image assessment, see the Vulnerability API section in the Lacework API documentation.

Whitelist Lacework Outbound IPs

You must whitelist the following Lacework outbound IPs if you want to allow Lacework to communicate with your servers.

35.165.121.10  
35.165.83.150  
52.43.197.121  
34.208.85.38  
35.166.181.157  
52.88.113.199
44.231.201.69
54.203.18.234
54.213.7.200